CPCSC Compliance & vCISO Strategy
Secure Your DND Contracts
Don't just tick boxes. Build a resilient, contract-ready business with Canada’s leaders in risk-based cybersecurity.
The Canadian Program for Cyber Security Certification (CPCSC) is a Government of Canada program for defence suppliers. It introduces cyber security requirements for organizations bidding on or working on certain federal defence contracts.
What is CPCSC?
CPCSC establishes a structured certification model for defence suppliers, using controls, assessments, contract clauses, and third-party oversight depending on the certification level required.
The program is intended to protect sensitive contractual information, strengthen the defence supply chain, and help Canadian suppliers stay aligned with procurement expectations.
The CPCSC Landscape (Spring 2026 Update)
The Canadian Program for Cyber Security Certification is now mandatory for suppliers bidding on Department of National Defence (DND) contracts.
The Reality for 2026: As of April 2026, Level 1 Self-Attestation is no longer a suggestion; it is required at the time of contract award. If your CanadaBuys profile isn’t ready, your bid isn’t valid.
CPCSC has 3 certification levels

Level 1: Basic Cyber Security
Designed around foundational cyber security practices and an annual self-assessment.
Including:
- Security basics and governance
- Access control and authentication measures
- Protection of contract-related information
- Annual self-assessment support

Level 2: Advanced Cyber Security
Requires external cyber security assessments led by an accredited certification body, plus annual affirmation.
Including:
- Enhanced control implementation
- Independent certification process
- Documentation and evidence preparation
- Readiness for formal assessment

Level 3: Highest Security Level
Applies to higher-sensitivity requirements and includes cyber security assessments conducted by National Defence, plus annual affirmation.
Including:
- Higher-assurance requirements
- Government-led assessment readiness
- Stronger control maturity
- Ongoing compliance support
How RiskAware helps your business with CPCSC
Practical support for CPCSC readiness: We help organizations build a right-sized compliance program that fits their operations, timelines, and contract goals.
CPCSC Gap Assessments
Evaluate your current security posture against likely CPCSC requirements and identify the most important remediation priorities.
Policy Development
Develop and refine policies, standards, and procedures that align with your compliance objectives and operational reality.
Implementation Support
Improve access management, authentication, asset handling, technical safeguards, and operational processes required for readiness.
Level 1 Self-Assessment Preparation
Prepare documentation, evidence, and internal review workflows to support annual self-assessment expectations.
Executive & Advisory Support
Get strategic guidance from experienced cyber security leaders to help your team make decisions, sequence work, and reduce risk.
Ongoing Compliance Readiness
Maintain momentum with continuing support as contract requirements evolve and your business grows.
Our "Risk-First" Methodology
A 4-step path to clearing the CPCSC hurdle.
01. Scope & Segment
We don't secure your whole office if we only need to secure your "Controlled Information." We identify your data boundaries to reduce your compliance costs.
02. Gap Analysis (NIST 800-171 / ITSP.10.171)
We map your current environment against the 97+ controls. You get a prioritized Plan of Action and Milestones (POA&M) that focuses on "non-deferrable" security first.
03. Policy & Artifact Creation
Compliance is 50% technical and 50% documentation. We draft the policies, training records, and system logs required to prove you are doing what you say you are doing.
04. Continuous Affirmation
CPCSC isn't "one and done." We provide ongoing vCISO oversight to ensure that as your business grows (or the DND adds rules), you stay eligible for every RFP.

Who We Serve
- Primary Defence Contractors: Needing Level 2/3 certification.
- Specialized Subcontractors: Needing to prove Level 1 readiness to their prime partners.
- Aerospace & Tech Firms: Looking to bridge the gap between US CMMC and Canadian CPCSC.

Frequently asked questions about CPCSC
What is CPCSC?
CPCSC is the Canadian Program for Cyber Security Certification for defence suppliers. It introduces cyber security certification requirements for organizations bidding on or working on certain Government of Canada defence contracts.
When did CPCSC start?
Phase 1 of CPCSC launched on March 12, 2025, with a phased rollout intended to help suppliers prepare before broader implementation.
How many CPCSC levels are there?
There are 3 levels. Level 1 requires an annual self-assessment, Level 2 requires an external assessment by an accredited certification body plus annual affirmation, and Level 3 requires National Defence-led assessments plus annual affirmation.
When will CPCSC requirements appear in contracts?
As of spring 2026, new National Defence RFPs identified through cyber security risk assessment include mandatory CPCSC cyber security requirements.
Can RiskAware help with CPCSC Level 1?
Yes. RiskAware can help your organization prepare for Level 1 through gap assessments, policy development, control improvements, and self-assessment readiness support.
